b"\t\n                             \t\n                             \t\n                             \t\n                             \t\n                             \t\nAudit\tof\tNARA\xe2\x80\x99s\tIntrusion\tDetection\tand\tPrevention\tSystems\t\n                   and\tIncident\tResponse\t\n                              \t\n                              \t\n                OIG\tAudit\tReport\tNo.\t\t13\xe2\x80\x9012\n\t\n                              \t\n                              \t\n                    September\t10,\t2013\t\t\n\t               \t\n\x0cTable of Contents \n\n\n\nExecutive Summary ........................................................................................ 3\n\xc2\xa0\n\nBackground ..................................................................................................... 3\n\xc2\xa0\n\nObjectives, Scope, Methodology .................................................................... 6\n\xc2\xa0\n\nAudit Results................................................................................................... 9\n\xc2\xa0\n\nAppendix A \xe2\x80\x93 Acronyms and Abbreviations ............................................... 26\n\xc2\xa0\n\nAppendix B - Management\xe2\x80\x99s Response to the Report ................................. 28\n\xc2\xa0\n\nAppendix C - Report Distribution List ......................................................... 29\n\xc2\xa0\n\x0c                                                                         OIG Audit Report No. 13-12\n\n\nExecutive Summary\n\nIntrusion detection and prevention systems (IDPSs) detect, monitor, analyze, and prevent\npossible malicious activity occurring in computer systems or a network. Incident\nresponse is a process to analyze and resolve an incident to minimize adverse effects. The\nNational Archives and Records Administration (NARA) Office of Inspector General\n(OIG) audited NARA\xe2\x80\x99s IDPSs and computer security incident response process to\ndetermine whether: (1) NARA\xe2\x80\x99s IDPSs had been properly implemented and are\noperating effectively; (2) appropriate logical and physical security, and environmental\nprotection controls are in place, and; (3) NARA\xe2\x80\x99s computer security incident response\nprocess is effective and efficient, including whether incident response staff are adequately\ntrained.\n\nIn general, it appears NARA\xe2\x80\x99s IDPSs are operating effectively, and incidents are\nappropriately handled. However, opportunities for improvement exist in areas including:\n\n(a) logical security and configuration of the host intrusion prevention system;\n(b) contract management and monitoring;\n(c) incident response and incident reporting to United States Computer Emergency\nReadiness Team (US-CERT); and\n(d) physical security controls on the host intrusion prevention servers.\n\nFirst, an excessive number of privileged user accounts existed on NARA\xe2\x80\x99s centralized\nhost-based intrusion prevention system (HIPS)1 and anti-virus management application,\nand the password policy was not systematically enforced for users at the application\nlevel. This left the application, rule sets, and data within the application vulnerable to\ninappropriate use, manipulation, or deletion. Also, not all machines connected to\nNARANet report to the centralized HIPS and anti-virus management application, making\nit difficult to assess and monitor the security status of the machines not reporting to the\napplication on a real-time basis.\n\nFurther, NARA had not effectively managed and monitored its contract with the Trusted\nInternet Connections (TIC) provider. This resulted in unmet Acceptable Quality Levels\n(AQLs) for a number of services; unclaimed service credits; and a disconnect among the\ncontractor, Designated Agency Representatives (DARs), and NARA\xe2\x80\x99s IT staff in\ntransferring and exchanging information pertinent to the security of NARA\xe2\x80\x99s IT\nenvironment.\n\n1\n A host-based intrusion prevention system is a type of IDPS that monitors characteristics of a single host\nand the events occurring within that host for suspicious activity (NIST SP 800-94, February 2007; p.9).\n                                            Page 3\n                         National Archives and Records Administration\n\x0c                                                              OIG Audit Report No. 13-12\n\n\n\nAdditionally, although network attacks evolve over time and are becoming more\nsophisticated, there is no process at NARA to ensure internal or external training is given\nto the Computer Incident Response Team (CIRT) so they remain up to date. Also, the\nincident handling process was not always monitored and supervised properly, causing\ndelayed resolution and reporting of incidents. Approximately 75% of sampled computer\nsecurity incidents reportable to US-CERT were not reported on time.\n\nAs part of this audit, we also reviewed non-electronic, paper-based disclosure of\npersonally identifiable information (PII) incidents. OMB Memorandum M-06-19\nspecifies US-CERT reporting should include all personally identifiable information (PII)\nincidents whether in electronic or physical form. Our review found a weakness related to\nNARA\xe2\x80\x99s handling of paper-based PII disclosure events, which is addressed in a separate\nreport (OIG Report No. 13-15).\n\nFinally, opportunities to improve physical security controls exist at NARA\xe2\x80\x99s computer\nroom at Archives II. Specifically: (1) the list of the individuals who have access to the\ncomputer room had not been reviewed on a periodic basis; (2) visitor logs were\nincomplete and had not been reviewed on a periodic basis; and (3) cables for certain\nservers were poorly organized without the use of any cable management tools such as\nlabels and ties.\n\nThis report contains 18 recommendations which, upon implementation, will enhance\nNARA\xe2\x80\x99s ability to secure its IDPS devices and respond to computer security incidents\neffectively.\n\n\n\n\n                                         Page 4\n                      National Archives and Records Administration\n\x0c                                                                       OIG Audit Report No. 13-12\n\n\nBackground\n\nVarious organizations at NARA contribute to the security of its computing environment\nand electronic data. IT Security (IT) is responsible for the overall security of NARA\xe2\x80\x99s IT\nenvironment. IT Operations (IM) manages NARA\xe2\x80\x99s HIPS and anti-virus applications,\nconfiguration of the network-based intrusion detection system (NIDS)2, and the Networx\nUniversal program3. Both IT and IM are sub-organizations under the Office of\nInformation Services (I). The CIRT, comprised of NARA\xe2\x80\x99s IT Security and IT\nOperations staff, performs computer security incident response and reports incidents to\nUS-CERT and works with other investigative agencies when necessary. In addition,\nBusiness Support Services (B) oversees physical security and environmental protection\ncontrols for NARA\xe2\x80\x99s computing equipment stored in each NARA location, including the\nIDPS management and database servers.\n\nNARA also uses the intrusion detection/prevention and incident response services\nprovided by the TIC contractor in accordance with the Managed Trusted Internet Protocol\nServices (MTIPS) under the United States General Service Administration (GSA)\xe2\x80\x99s\nNetworx Universal program. The TIC contractor operates the NIDS and Security\nOperations Center (SOC). NARA\xe2\x80\x99s CIRT and the contractor\xe2\x80\x99s SOC interact with one\nanother in detecting, analyzing, and resolving computer security incidents. The TIC\ncontractor also provides a co-location service for NARA-owned firewalls and hosts the\nEINSTEIN4 enclave that includes the IDPS appliances maintained and operated by\nUnited States Computer Emergency Readiness Team (US-CERT).\n\nNARA is a subscribing agency of GSA\xe2\x80\x99s Networx Universal program, and selected the\nTIC contractor in October 2010. The contractor completed installation of the TIC at\nNARA in July 2011. According to GSA\xe2\x80\x99s Networx Service Level Agreement (SLA)\nManagement Guide, version 2.0, issued on April 30, 2009, it is the subscribing agency\xe2\x80\x99s\nrole to: (1) review the Monthly Compliance Reports submitted by the service provider;\n(2) identify discrepancies between the contract-required performance target and the actual\nperformance; and (3) apply for credit from the service provider for a failure to meet a\nperformance objective.\n\n\n2\n  A network-based intrusion detection system monitors network traffic for particular network segments and\nanalyzes the network activity to identify suspicious activity (NIST SP 800-94, February 2007; p.9).\n3\n  Networx offers managed security services through the MTIPS program, which complies with the Trust\nInternet Connections (TIC) initiative (http://www.dhs.gov/managed-trusted-internet-protocol-services.\n4\n  The Einstein program provides an automated process for collecting, correlating, analyzing, and sharing\ncomputer security information across the Federal Government to improve our nation's situational awareness\n(http://www.us-cert.gov/government-users/tools-and-programs).\n                                            Page 5\n                         National Archives and Records Administration\n\x0c                                                                              OIG Audit Report No. 13-12\n\n\nUS-CERT requires Federal agencies to report computer incidents in accordance with\nspecified timeframes that vary depending on the category and severity of the incident. As\nof December 5, 2012, NARA had a total of 298 closed incidents in its incident\nmanagement system that were reportable or potentially reportable to US-CERT and\nsubmitted between July 28, 2011, and October 11, 2012. Distribution of the incidents by\nincident category and location of the ticket origination is shown on Table 1 below.\n\n               Table 1: Distribution of Incidents by Category and Ticket Origination\n\n                                 Disclosure    Malicious     Improper      Attempted                           Grand\n     Site\\Incident Category                                                               Investigation\n                                   of PII       Logic         Usage         Access                             Total\n    Archives I                                        10                                                              10\n    Archives II                         1985          56               2              4                 5            265\n    Carter Library                                     1                                                               1\n    Dayton                                             1                                                               1\n    Eisenhower Library                                 1                                                               1\n    Hoover Library                                     1                                                               1\n    Johnson Library                                    1                                                               1\n    Philadelphia                                       2                                                               2\n    Riverside                                          1                                                               1\n    Spanish Lake                                      12                                                              12\n    St Louis                                           1                                                               1\n    Suitland                                           1                                                               1\n    Valmeyer                                           1                                                               1\n    Grand Total                          198          89               2              4                 5            298\n\n\nPrevious audit engagements between fiscal years (FYs) 2005 and 2012 identified\nweaknesses in NARA\xe2\x80\x99s IDPSs and incident response process. These weaknesses\nincluded: (a) lack of host-based sensors to detect intrusions (OIG Audit Report No. 05-\n09, dated April 1, 2005); (b) inconsistent incident response approaches among the\nincident response team (Mandiant\xe2\x80\x99s Incident Response Program Enhancement Gap\nAnalysis, dated May 17, 2010); (c) partially deployed centralized HIPS and anti-virus\nmanagement system (Mandiant\xe2\x80\x99s Incident Response Program Enhancement Gap\nAnalysis, dated May 17, 2010); (d) lack of a process to manage and monitor the Service\nLevel Agreements (SLAs) associated with its Networx contract (OIG Audit Report No.\n11-17, dated September 30, 2011); and (e) open, unsecured network topology (IMRI\xe2\x80\x99s\nNetwork Discovery and Assessment Report, dated August 27, 2012).\n\n\n5\n  OMB Memorandum M-06-19 specifies US-CERT reporting should include all PII incidents whether in\nelectronic or physical form. Table 1 may include computer-based, electronic PII disclosures caused by loss\nor disclosure of encrypted or unencrypted PII data, and paper-based PII disclosures caused by mailing\nincorrect military/civilian records to the requesters. Archives II originates PII-related tickets for all offices.\n\n                                              Page 6\n                           National Archives and Records Administration\n\x0c                                                                       OIG Audit Report No. 13-12\n\n\nObjectives, Scope, Methodology\n\nThe objective of this audit was to determine whether: (1) NARA\xe2\x80\x99s IDPSs had been\nproperly implemented and are operating effectively; (2) logical and physical security and\nenvironmental protection controls are in place to appropriately safeguard NARA\xe2\x80\x99s IDPS\ndevices and the data within them; and (3) NARA\xe2\x80\x99s computer security incident response\nprocess is effective and efficient, and the incident response staff are adequately trained.\nAdditionally, we included a review of the controls in place at NARA\xe2\x80\x99s TIC provider over\nthe IDPS and incident response process in our audit.\n\nTo accomplish our audit objective, we reviewed National Institute of Standards and\nTechnology (NIST) Special Publications 800-53 \xe2\x80\x9cRecommended Security Controls for\nFederal Information Systems and Organizations,\xe2\x80\x9d Revision 36, August 2009; 800-94\n\xe2\x80\x9cGuide to Intrusion Detection and Prevention Systems (IDPS) (Draft) ,\xe2\x80\x9d Revision 1, July\n2012; and 800-61 \xe2\x80\x9cComputer Security Incident Handling Guide\xe2\x80\x9d, Revision 2, August\n2012. We also reviewed previous audit and review reports including OIG Report No. 05-\n09 Audit of NARA\xe2\x80\x99s Intrusion Detection System, dated April 1, 2005; OIG Report No.\n10-07 Audit of NARA\xe2\x80\x99s Network Infrastructure, dated April 28, 2010; OIG Report No.\n11-17 Audit of the Trusted Internet Connections Initiative at NARA, dated September 30,\n2011; GAO\xe2\x80\x99s report on NARA\xe2\x80\x99s information security, dated November 2010; Mandiant\xe2\x80\x99s\nIncident Response Program Enhancement Gap Analysis, dated May 17, 2010; and OIG\nReport No. 12-11 Information Management Resources, Inc. (IMRI\xe2\x80\x99s) Network\nAssessment Report, dated August 27, 2012.\n\nWe judgmentally selected a sample of 80 security incidents that were reportable or\npotentially reportable to US-CERT, and were opened between October 2011 and October\n2012. We reviewed the sampled incident reports and email communications from/to US-\nCERT and the contractor to determine whether appropriate actions were taken to resolve\nand report the incidents effectively and efficiently.\n\nWe interviewed representatives of the Office of Information Services (I) and NARA\xe2\x80\x99s\nmain IT contract, the IT and Telecommunications Support Services (NITTSS) contract,\nand obtained and reviewed supporting documents as available and necessary. These\nsupporting documents included, but were not limited to, policies and procedures, network\ndiagrams, screenshots, physical and logical access lists, sample computer security\nincident reports, the Networx contract, Networx SLA Management Guide issued by GSA,\nthe TIC contractor\xe2\x80\x99s Monthly Compliance Reports, and third-party evaluation reports for\n\n6\n NIST SP 800-53, Revision 4, was issued in April 2013, which was after the fieldwork for this audit was\nsubstantially completed.\n                                            Page 7\n                         National Archives and Records Administration\n\x0c                                                              OIG Audit Report No. 13-12\n\n\nthe TIC contractor issued by Department of Homeland Security and an independent\npublic accounting firm. We visited two of the TIC contractor\xe2\x80\x99s data center facilities\nlocated in Sterling, VA, and had conference calls with individuals at the contractor\xe2\x80\x99s\nNetwork Operations Center (NOC) and Security Operations Center (SOC), located in\nArlington, VA, and San Diego, CA, respectively. We also visited one of NARA\xe2\x80\x99s\ncomputer rooms at Archives II to assess the physical security of NARA\xe2\x80\x99s in-house host-\nbased intrusion detection system servers.\n\nOur audit work was performed at Archives II in College Park, MD, between October\n2012 and June 2013. We conducted this performance audit in accordance with generally\naccepted government auditing standards. Those standards require that we plan and\nperform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis\nfor our findings and conclusions based on our audit objectives. We believe that the\nevidence obtained provides a reasonable basis for our findings and conclusions based on\nour audit objectives.\n\n\n\n\n                                        Page 8\n                     National Archives and Records Administration\n\x0c                                                                           OIG Audit Report No. 13-12\n\n\nAudit Results\n\n\n1. Logical Security of the Host-Based IDS (HIPS) Needs to be\n   Strengthened\nOverall, we found the centralized HIPS and anti-virus management system (the system)\nappeared to function effectively. It uses the \xe2\x80\x9cpull\xe2\x80\x9d method7 to update the HIPS and anti-\nvirus signatures on a daily basis, using a digital signature algorithm signature verification\nsystem for data integrity. When events occur which the system cannot automatically\nhandle, it sends a notification email to NARA\xe2\x80\x99s IT security contractors with event details\nincluding the source Internet Protocol (IP) address, threat name, and detecting product\nname(s). The system can generate many types of queries and reports, such as a report\nincluding the signature update status of the servers and workstations. The management\nserver and database server of the system reside on a Virtual Local Area Network\n(VLAN), and users log on to the system using a HTTPS connection to secure the\ncommunication.\n\nHowever, a number of issues may prevent management from adequately securing the\nsystem, the machines managed through the system, and the machines not connected to\nthe system. Specifically, we found there are too many super users, password parameters\ndo not exist at the application level, the rule sets within the system had not been\nconsidered for customization, and only some of the machines connected to NARANet are\nconfigured to report to the system. These issues exist because management relies heavily\nupon the network-based intrusion detection system (NIDS) provided by the TIC\ncontractor and had put little emphasis on adequately securing the centralized HIPS and\nanti-virus management system and maximizing the use of the system. As a result, these\nsecurity issues present the risk of: (1) the users\xe2\x80\x99 accounts and the data within the system\nbeing compromised; (2) security events not being detected and prevented in a timely\nmanner; and (3) being unable to assess the security status of the machines not reporting to\nthe system on a continuous, real-time basis.\n\nToo Many Super Users\n\nNARA\xe2\x80\x99s Enterprise Architecture requires, in accordance with the Access Control (AC)\nfamily of the NIST Special Publication 800-53, that for data requiring moderate or high\n\n7\n  Pull is a style of network communication where the initial request for data originates from the client, and\nthen is responded to by the server.\n                                             Page 9\n                          National Archives and Records Administration\n\x0c                                                                          OIG Audit Report No. 13-12\n\n\nconfidentiality, the NARA system owner shall employ the concept of least privilege.\nLeast privilege only allows authorized access for users which are necessary to accomplish\nassigned tasks in accordance with NARA missions and business functions. System\nowners shall also limit authorization for super user8 accounts on the information system\nto designated system administration personnel.\n\nWithin the centralized HIPS and anti-virus management system, we found that nine of the\n10 users had been granted global administrator rights. According to the product guide for\nthe system, the permissions exclusive to global administrators include: (a) creating,\nediting, and deleting source and fallback sites; (b) changing server settings; (c) adding\nand deleting user accounts; (d) adding, deleting, and assigning permission sets; and (e)\nimporting events into the database and limiting events stored there. The NARANet\nInformation System Security Officer (ISSO) stated the global administrator rights were\nrequired to run queries and reports. However, our review of the product guide found a\nregular user could be assigned to a permission set that allows the user to run queries and\nreports.\n\nGranting global administrator access to an excessive number of users presents the risk of\nrights being abused by one or more users and undesirable changes made to user accounts,\nrule sets, and other configurations. Those changes may result in: (1) a valid user unable to\nlog on to his/her account or unable to access certain functionalities necessary for their job\nresponsibility; (2) an intrusive attack going undetected or unanalyzed; and (3) diminished\nproductivity due to the need to reconfigure the system to its previous state.\n\nNonexistent Password Parameters\n\nNARA\xe2\x80\x99s Enterprise Architecture requires, in accordance with the Identity and\nAuthentication (IA) control family of the NIST Special Publication 800-53, that for all\ndata, the information system shall enforce minimum password complexity of a case-\nsensitive, 8-character mix of upper case letters, lower case letters, numbers, and special\ncharacters, including at least one of each. It also requires that the information system\nenforce at least a four-character change when new passwords are created, encrypts\npasswords in storage and in transmission, enforces password minimum and maximum life\ntime restrictions from one to 90 days, and prohibits reusing the previous five passwords\nfor unclassified information systems or 10 passwords for classified information systems.\n\nAlthough NARA\xe2\x80\x99s centralized HIPS and anti-virus management system requires a\nusername and password to log in, it does not systematically enforce any password\n8\n A super user, or a system administrator, is an account that has access to all files and can execute any type\nof command within the system. Global Administrator accounts within the centralized HIPS and anti-virus\nsystem are considered super users because they have read and write rights to all operations of the system.\n                                             Page 10\n                          National Archives and Records Administration\n\x0c                                                             OIG Audit Report No. 13-12\n\n\nparameters including length, complexity, and reuse restriction at the application level. We\nrequested a read-only user account for the system and attempted to change the password\nto one as simple as a \xe2\x80\x9c0.\xe2\x80\x9d The system accepted the password. Also, we were able to\nchange the password back to the original password without any restriction for reuse.\nAccording to the NARANet ISSO, the capability to enforce password parameters does\nnot exist within the system, which is a COTS (commercial off-the-shelf) limitation.\nHowever, our review of the product guide found there is an option to configure the\nsystem server to allow users to log on using Windows authentication, through which\nstronger password parameters could be enforced. According to the Chief Information\nSecurity Officer (CISO), the mitigation NARA had been depending on was a claim\npeople who have accounts on the system are believed to be \xe2\x80\x9ctrusted users,\xe2\x80\x9d who could be\nexpected to practice good password discipline.\n\nWe inquired with the NARANet Information System Security Officer (ISSO) whether\npasswords were encrypted within the system. According to NARA Directive 804.8, the\nISSO has the responsibility to ensure the appropriate operational security posture is\nmaintained for IT systems and programs. NARA\xe2\x80\x99s Enterprise Architecture requires\npasswords to be encrypted in storage and in transmission. The ISSO should be aware of\nthe requirement, and ensure the systems they manage are appropriately configured to\nmeet the security requirements. However, the NARANet ISSO was unable to answer\nwhether the passwords were encrypted. Not enforcing strong password parameters and\npassword encryption exposes the user accounts to the risk of being compromised, and\ncritical data necessary to investigate intrusive attacks within the system being\nmanipulated or deleted by an unintended user.\n\nDuring this audit, we communicated the issue of unenforced password parameters to\nsome of the key IT Security personnel, including the NARANet ISSO and CISO.\nAccording to the CISO, an option to implement more vigorous password policy is to have\nthe user accounts authenticate to the Novell e-Directory. According to CISO, he had\nnotified the NITTSS contractor to expect a request for a technical recommendation on\nthis implementation.\n\nCustomization Needed on HIPS Rules\n\nAccording to NIST Special Publication 800-94, most IDPSs require at least some tuning\nand customization, such as setting the prevention action to be performed for particular\nalerts, to improve their detection accuracy, usability, and effectiveness. NARA utilizes\nthe vendor\xe2\x80\x99s default \xe2\x80\x9cBasic Protection\xe2\x80\x9d option for its HIPS. According to the evidence\npresented, the Basic Protection option prevents events whose signature severity level is\n\xe2\x80\x9cHigh\xe2\x80\x9d but ignores any events with signature severity level of \xe2\x80\x9cMedium\xe2\x80\x9d, \xe2\x80\x9cLow\xe2\x80\x9d, or\n\xe2\x80\x9cInformation\xe2\x80\x9d. There are other protection options available including \xe2\x80\x9cEnhanced\n                                          Page 11\n                      National Archives and Records Administration\n\x0c                                                              OIG Audit Report No. 13-12\n\n\nProtection\xe2\x80\x9d and \xe2\x80\x9cMaximum Protection\xe2\x80\x9d within the system. The Enhanced Protection\nprevents events with signature levels of High and Medium, and the Maximum Protection\nprevents events with signature levels of High, Medium, and Low. According to the\nNARANet ISSO, NARA decided to adapt the vendor\xe2\x80\x99s default protection option and did\nnot consider implementing the other options. Selecting the option that only prevents the\n\xe2\x80\x9cHigh\xe2\x80\x9d events may not detect or prevent some of the actual intrusive attempts that could\npotentially have critical impact on the affected machine, the data within the machine, and\nthe network to which it is connected.\n\nCentralized Management System Not Fully Deployed\n\nAccording to NIST Special Publication 800-94, organizations should consider using\nmultiple types of IDPS technologies to achieve more comprehensive and accurate\ndetection and prevention of malicious activity, with lower rates of false positives and\nfalse negatives. Also, for most environments, a combination of network-based and host-\nbased IDPS technologies is needed for an effective IDPS solution. In Mandiant\xe2\x80\x99s Incident\nResponse Program Enhancement Gap Analysis conducted in 2010, Mandiant\nrecommended NARA deploy the HIPS application to all NARA Windows systems in all\ndomains, and deploy the centralized HIPS and anti-virus management system to all\nNARA Windows systems (servers, workstations, and laptops) in all domains. We found\nthe HIPS application is installed on the machines with Windows platforms that are\nconnected to NARANet. According to the NARANet ISSO, the non-Windows-platform\nmachines connected to NARANet have the antivirus software installed, but not the HIPS.\nWe also found that not all of the systems connected to NARANet interact with the\ncentralized HIPS and anti-virus management system to report events and receive\nsignature updates.\n\nNARA has a number of systems not reporting to the centralized HIPS and anti-virus\nmanagement system, including\n                                                                 are the systems critical to\nachieving NARA\xe2\x80\x99s mission as the nation\xe2\x80\x99s record keeper, and the FIPS 199 Risk Impact\nLevel of these systems for FY 2012 was \xe2\x80\x9cHigh.\xe2\x80\x9d According to the Senior IT Security\nSpecialist, these systems pass through the TIC contractor\xe2\x80\x99s network-based intrusion\ndetection system (NIDS) and NARA\xe2\x80\x99s internal firewalls to pass and receive external\ntraffic. However, these systems do not report to the centralized HIPS and anti-virus\nmanagement system, making it difficult to continuously monitor the security status of the\nmachines (e.g., whether an anti-virus program is installed and operating on the machine)\nor to centrally manage signature updates and event logs. Moreover, the FY 2012 FISMA\nevaluation revealed NARA had not developed and implemented fully integrated and\nresponsive continuous monitoring and auditing capabilities allowing the organization to\n\n                                         Page 12\n                      National Archives and Records Administration\n\x0c                                                                        OIG Audit Report No. 13-12\n\n\nmanage risk more effectively and efficiently. With the lack of a fully integrated and\nresponsive continuous monitoring process for security of NARA\xe2\x80\x99s information systems,\nNARA is under the risk of compromised systems not being promptly detected and\nresolved.\n\nRecommendations\n\nWe recommend NARA\xe2\x80\x99s Chief Information Officer:\n\n    1.\t Evaluate the access requirements each user needs to perform their job\n        responsibilities, limit the global administrator privilege to only those whose job\n        responsibilities require the exclusive permissions, and establish permission groups\n        allowing users to access limited reports or functionalities within the system.\n    2.\t Systematically enforce password parameters for system users at the application\n        level consistent with NARA\xe2\x80\x99s Enterprise Architecture password requirements.\n    3.\t Consider re-evaluating the rule sets currently in use by the system for detection\n        accuracy and customizing them to potentially reduce the number of intrusive\n        attempts going undetected.\n    4.\t Consider conducting a cost-benefit analysis on deploying the system to all NARA\n        unclassified systems connected to the network.\n\nManagement Response\n\nManagement concurred with the recommendations.\n\n2. Contract Monitoring for MTIPS Needs Improvement\n\nNARA is a subscribing agency of GSA\xe2\x80\x99s Networx Universal contract, through which\nNARA selected a provider for its Trusted Internet Connections (TIC) services. According\nto GSA\xe2\x80\x99s website, the Managed Trusted Internet Protocol Service (MTIPS) program\nprovides managed security services compliant with Trusted Internet Connections\ninitiatives. NARA\xe2\x80\x99s TIC contractor started providing services in July 2011. From January\n2012 to December 2012, NARA paid a total of $3,236,853.26 (a monthly average of\n$269,737.77) for the entire contract.9\n\nOIG Audit Report No. 11-17, Audit of the Trusted Internet Connection Initiatives at\nNARA, dated September 30, 2011, revealed that a process had not been developed to\n\n\n9\n  The services provided by the contractor include co-located hosting of NARA\xe2\x80\x99s MTIPS devices,\nconfiguration/rule change management, intrusion detection/prevention security event notification, and\nsecurity incident reporting to NARA and US-CERT.\n                                            Page 13\n                         National Archives and Records Administration\n\x0c                                                             OIG Audit Report No. 13-12\n\n\nmonitor the contractor\xe2\x80\x99s performance. We found the process for monitoring the\ncontractor\xe2\x80\x99s performance is still yet to be fully developed. We also found there is a\ndisconnect among the contractor, Designated Agency Representatives (DARs), and\nNARA\xe2\x80\x99s IT staff in regard to how some of the contractor\xe2\x80\x99s responsibilities are being, or\nshould be, performed. This occurred because NARA relies heavily on GSA\xe2\x80\x99s monitoring\nand accreditation process, and had not developed a more vigorous contract monitoring\nand management process. As a result, we found the following, which are discussed in\nmore detail in the next sections:\n\n   \xef\x82\xb7   The actual performance data for a MTIPS service was not included in the\n       contractor\xe2\x80\x99s Monthly Compliance Reports for the entire period reviewed (January\n       2012 through December 2012);\n   \xef\x82\xb7   There were at least two instances within the period reviewed where the\n       Acceptable Quality Levels (AQLs) were not met by the contractor, for which\n       NARA could have requested credits; and\n   \xef\x82\xb7   NARA\xe2\x80\x99s key IT Security staff was not aware the intrusion prevention capability\n       was not enabled within the IDPS device for NARA\xe2\x80\x99s network.\n\nContract Management and Monitoring Process Not Fully Developed\n\nIn general, quality assurance surveillance plans should be prepared in conjunction with a\ncontract\xe2\x80\x99s statement of work. The plans should specify all work requiring surveillance,\nand the method of surveillance. NARA had prepared the Standard Operating Procedure\n(SOP) for TIC SLA Monitoring. However, it did not include the designation of the\nmonitoring duties to specific individuals or offices. According to the DARs for the\ncontract, the monitoring duties had not been formally assigned and communicated. We\nalso found that, although the contractor started providing the TIC service for NARA in\nJuly 2011, a number of the key IT Security staff at NARA, including the Chief\nInformation Security Officer (CISO and Deputy CISO, had not visited the contractor\xe2\x80\x99s\ndata centers, network operations center (NOC), or security operations center (SOC) for\ncontract oversight purposes.\n\nAccording to the CISO, NARA had been relying heavily on the fact the contractor was a\nvendor approved by GSA, and Networx is a GSA-managed contract. However, the\ncontract indicates it is the subscribing agency\xe2\x80\x99s role to provide oversight for the\ncontractor\xe2\x80\x99s performance. Further, the lack of a complete and comprehensive contract\nmonitoring process resulted in incomplete information on the Monthly Compliance\nReports, and unmet Service Level Agreements (SLAs) going undetected and undisputed\n(more details are discussed in \xe2\x80\x9cMonthly Compliance Reports are Not Fully\nReviewed\xe2\x80\x9d below).\n                                        Page 14\n                     National Archives and Records Administration\n\x0c                                                            OIG Audit Report No. 13-12\n\n\n\nFurthermore, there is a worksheet called a \xe2\x80\x9cSAN-TAN (Storage Area Network \xe2\x80\x93 Tape\nArea Network), which describes the server backup and tape storage procedures specific\nto each subscribing agency. A copy of the worksheet should be available via NARA\xe2\x80\x99s\nDARs. However, neither the DARs nor the IT Specialist who was involved in the\ninstallation process was familiar with the worksheet, and neither could provide a copy.\nAccording to the CISO, there was also a Memorandum of Understanding (MOU)\nbetween NARA and the contractor which described the security incident alerting rules.\nAlthough we contacted a number of individuals including the CISO, NARANet ISSO,\nand a DAR for the contract, none of the individuals were able to locate and provide a\ncopy of the document. We also noted that network-based intrusion prevention is not\nenabled for NARA\xe2\x80\x99s network environment. However, NARA\xe2\x80\x99s Senior IT Security\nSpecialist was not aware it was not enabled. According to the IT Specialist involved in\nthe TIC installation, there was additional cost associated with enabling intrusion\nprevention and NARA chose not to receive the service. However, this information was\nnot properly communicated to key IT Security staff.\n\nMoreover, there was an event in May 2013 with the attributes\n                         According to the NITTSS Security Team Lead, the attack\n                                            and was thwarted by the TIC provider\xe2\x80\x99s\nUTM device. However, per inspection of the screenshot including the rule set for the\n\n\n\n\nMonthly Compliance Reports Not Reviewed in Full\n\nAccording to the GSA Networx Service Level Agreement (SLA) Management Guide,\nGSA recommends agencies review the Agency-Specific SLA Monthly Compliance\nReports. The agency can then identify discrepancies between the contract-required\nperformance target and the actual performance, apply for credit within six months, ensure\nreceipt of SLA credit within two billing cycles, and escalate any unresolved SLA issue to\nGSA.\n\n\n                                        Page 15\n                     National Archives and Records Administration\n\x0c                                                             OIG Audit Report No. 13-12\n\n\nFrom January through December 2012, efforts were made to review the Monthly\nCompliance Reports, along with other internal reports, and submit credit requests for\nnetwork outage incidents. However, information on the reports for other services had not\nbeen reviewed for completeness and accuracy, resulting in: (1) undetected missing actual\nperformance values for a product for the entire period reviewed; and (2) unapplied SLA\ncredits for at least two instances.\n\n \xe2\x80\x9cMTIPS \xe2\x80\x93 Transport Collection and Distribution\xe2\x80\x9d is a product listed on the Monthly\nCompliance Reports, where the contractor\xe2\x80\x99s performance and availability of security\nincident reporting to US-CERT are measured. We found the actual availability and\nperformance data were not included on the reports for the entire period reviewed\n(December 2011 was the last month where the actual data were included on the report).\nAccording to the contractor, the data was missing due to an issue with the contractor\xe2\x80\x99s\ndatabase inventory which led to a failure to automatically populate the data on the\nreports. However, NARA had not contacted the contractor regarding the missing data so\nthe reports could be corrected. NARA currently does not have any other mechanism to\nmeasure if the contractor\xe2\x80\x99s security incident reporting was performed or made available\nwithin the Acceptable Quality Levels (AQLs). Therefore, not reviewing this section of\nthe reports resulted in potential loss of SLA credits and inability to confirm whether\nsecurity incident reporting was performed in accordance with contract requirements.\n\nAdditionally, the contractor\xe2\x80\x99s actual performance values for other products had not\nalways met the AQLs. However, NARA had not been actively reviewing the reports for\nall unmet AQLs, nor had they developed a process to identify the cause of and solution\nfor the unmet AQLs. As a result, corresponding SLA credit request forms were not\nsubmitted for those unmet AQLs. At least one of the Key Performance Indicators (KPIs)\npertinent to security of the network had not met the AQL for two consecutive months\nduring the period reviewed. In April and May 2012, the KPI \xe2\x80\x9cEvent Notification\xe2\x80\x9d for\nmedium priority under the Managed Firewall Service had actual performance values of\n7.25 hours and 5.50 hours, respectively, which were not within the AQL of 4.0 hours.\nAccording to the contractor, this KPI is defined as the time taken between the detection\nof an event from the firewall and reporting the event to the subscribing agency. Reporting\nfirewall events to the agency within the AQL is essential to securing NARA\xe2\x80\x99s network\nenvironment and data because it enables timely analysis and resolution of the incident\nbefore further harm is done to the network. In addition, credit requests for these unmet\nSLAs were not made, and the Designated Agency Representatives (DARs) were not able\nto provide specific information on how to submit a credit request for this type of unmet\nAQL, or what credit amount would be due to NARA.\n\n\n\n                                        Page 16\n                     National Archives and Records Administration\n\x0c                                                              OIG Audit Report No. 13-12\n\n\nAccording to the Networx SLA Management Guide, if the contractor fails to meet any of\nthe KPIs for an SLA for a given month, the agency is entitled to a credit of 12.5% of the\nMonthly Recurring Cost (MRC), and 25% and 50% of the MRC for the second and third\nconsecutive months for which the SLA was not met. We found from the contractor\xe2\x80\x99s\nsummaries of services that the MRC for Managed Firewall Service for the months of\nApril and May 2012 was $2,056.55. Thus the credit amount for these unmet SLAs is\nestimated to be $2,056.55 x (12.5% + 25%) = $771.21, which could have been put to\nbetter use. Also, NARA might have been entitled to potential, additional credit if: (1) the\nactual performance values of the MTIPS \xe2\x80\x93 Transport Collection and Distribution SLA\nwere properly populated on the Monthly Compliance Reports; (2) NARA had been\nreviewing the Monthly Compliance Reports and monitoring the contractor\xe2\x80\x99s performance\non the SLA; and (3) any unmet AQLs were identified and notified to the contractor.\nHowever, as the actual performance values for the SLA were not included on the\nMonthly Compliance Reports and NARA did not independently track the actual\nperformance values, we were unable to determine the amount of the potential lost credit.\n\nRecommendations\n\nWe recommend NARA\xe2\x80\x99s Chief Information Officer:\n\n   5.\t Develop a comprehensive quality assurance surveillance plan that includes the\n       services provided by the contract, surveillance methods for each service, and\n       designation of the surveillance/monitoring duties to appropriate individuals or\n       offices.\n   6.\t Develop a comprehensive method to verify that the actual performance data\n       included on the contractor\xe2\x80\x99s Monthly Compliance Reports is complete and\n       accurate for each service provided by the contractor.\n   7.\t Develop a comprehensive process to ensure SLA credits are requested in a timely\n       manner by designated individuals at NARA, and to verify whether the amount of\n       credit received is accurate based on the SLA type and number of consecutive\n       months the SLA miss occurred.\n   8.\t Request corrected Monthly Compliance Reports including the actual performance\n       values for all services NARA procured from the contractor for the last six months,\n       review the reports to determine whether there were any unmet SLAs for which\n       NARA would be entitled to a credit, and request the identified credit(s), if any, in\n       accordance with the contract.\n   9.\t Create a process to ensure information pertinent to performance of the contract,\n       including agreed-upon procedures for securing the network, is properly\n       communicated to and from the contractor and among the individuals at NARA\n       whose job responsibilities require attention to such information.\n\n                                        Page 17\n                     National Archives and Records Administration\n\x0c                                                             OIG Audit Report No. 13-12\n\n\n   10. Perform a cost-benefit analysis for enabling the intrusion prevention option for\n       the network-based IDPS.\n   11. Evaluate the rule sets of the IDPSs for NARA\xe2\x80\x99s network on a periodic basis to\n       ensure proper rules have been selected and enabled to effectively detect and\n       prevent intrusive attacks.\n\nManagement Response\n\nManagement concurred with the recommendations.\n\n3. Improvement is Needed on Incident Response, Reporting,\n   and Training\n\nOverall, NARA\xe2\x80\x99s computer incident response and reporting appeared to be operating\neffectively. NARA\xe2\x80\x99s Computer Incident Response Team (CIRT) and the TIC provider\xe2\x80\x99s\nSecurity Operations Center (SOC) make collective efforts to detect, prevent, resolve, and\nreport computer security incidents. We judgmentally selected a sample of 80 security\nincidents opened from October 2011 through October 2012. We then reviewed the\nincident reports in NARA\xe2\x80\x99s incident management system, email communications from/to\nUS-CERT regarding the incidents, and made inquiries as necessary with the NARANet\nISSO to obtain more details on the incidents. The majority of the computer security\nincidents sampled were entered in the incident management system and brought to the\nCIRT\xe2\x80\x99s attention in a timely manner, correctly categorized into the US-CERT-specified\nincident categories, and resolved through the appropriate resolution process.\n\nOpportunities for improvement do exist in the management and monitoring process for\nincident response, reporting incidents to US-CERT, and providing the CIRT team with\ninternal and/or external training on incident response. We also found control\nenhancement is needed to appropriately handle paper disclosure of personally identifiable\ninformation (PII). The following are issues we identified in these areas, which are\ndiscussed in more detail in the next sections:\n\n   1) 60 of the 80 sampled incidents (75%) were not reported to US-CERT within the\n      specified timeframes.\n   2) The resolution process for a number of incidents included unjustified time gaps\n      ranging from one month to over one year.\n   3) Incident response training and exercises had not been conducted on a periodic\n      basis to keep the staff up to date with the most recent patterns of cyber attacks and\n      remediation methodologies.\n\n                                        Page 18\n                     National Archives and Records Administration\n\x0c                                                                         OIG Audit Report No. 13-12\n\n\n     4) In case of a paper PII disclosure, there is no process ensuring copies of the \n\n        documents containing PII are properly disposed of or returned. \n\n\nThese issues existed because the policies and procedures on incident response, reporting,\nand training are not clearly defined, effective, or properly followed. As a result, NARA\nmay be at risk of: (a) not being able to promptly and effectively resolve and/or report\nincidents to minimize the impact within the Agency and across the government\nenvironment; and (b) allowing inappropriate access to and use of the PII disclosed to an\nunintended user.\n\nUntimely Reporting of Incidents to US-CERT\n\nUS-CERT specifies the timeframes within which a computer security incident should be\nreported to US-CERT. They vary between one hour and one month from discovery,\ndepending on the category and severity of the incident. For example, Category 3,\nMalicious Code events should be reported daily or within one hour of discovery if the\nevent is widespread across the agency. Reports of computer incidents should include a\ndescription of the incident or event using the appropriate taxonomy. They should also\ninclude as much of the following information as possible: agency name, point of contact,\nincident category type, incident date and time, source and destination IPs, and operating\nsystem. However, reporting should not be delayed to gain additional information.10\n\nOf the 80 sampled incident reports and their corresponding email communications\nfrom/to US-CERT, only 19 incidents were reported to US-CERT within the specified\ntimeframes. These were comprised of Categories 3, 4, and 5 incidents and Disclosure of\nPII.11 Only one of the 61 Category 3, Malicious Code events in the sample was reported\nto US-CERT within the suggested 24 hours of discovery. Of the rest, 58 incidents were\nreported between two and 39 days past the timeframe, one incident was reported 158\ndays past the timeframe, and one incident was re-categorized into a non-reportable event.\nAlso, there was one incident initially categorized as a Category 6, non-reportable\nincident, which was then re-categorized into Category 3. This incident was then reported\n398 days past the suggested timeframe for Category 3 incidents. Overall, the late\nreporting was caused by one or more of the following:\n\n\n\n\n10\n  http://www.us-cert.gov/government-users/reporting-requirements\n11\n  Disclosure of PII events are reported to US-CERT using various incident categories depending upon the\nnature and method of the disclosure. Our sample contained a total of 14 PII disclosure incidents, and one of\nthe incidents was a computer-based, Category 4 incident and the rest were paper-based, Category 6\nveteran/civilian PII disclosure incidents caused by sending incorrect documents to the recipients.\n                                            Page 19\n                         National Archives and Records Administration\n\x0c                                                                             OIG Audit Report No. 13-12\n\n\n     1) The incident resolution process had a lag time between steps (for example, from\n        completion of malware scanning on the infected machine to re-baselining it to the\n        original state and/or from resolution of the incident to reporting it to US-CERT).\n     2) NARA generally attempted to gather more comprehensive information about the\n        incident before the report was sent to US-CERT.\n     3) Security incident tickets, opened and closed, had not been reviewed on a regular\n        basis to determine whether appropriate actions had been taken to successfully\n        resolve the incident and report it to US-CERT in accordance with the guidelines.\n\nFor example, for the incident reported 158 days past the suggested timeframe, we found it\nwas first submitted into the incident management system on February 23, 2012, for a\npotentially infected workstation. The vulnerability assessment was not completed until\nMarch 9, 2012. Then there was an approximately 3-month gap between the date of\nvulnerability assessment completion, and scheduling of a re-baselining of the workstation\non June 19, 2012. The NARANet ISSO was unable to recall what happened between\nthese two dates. In addition, another gap existed between the completion of re-baselining\nthe workstation and reporting it to US-CERT, which was not done until July 31, 2012.\n\nAnother example reviewed was from an incident initially categorized as a non-reportable,\nCategory 6, Investigation event which was later re-categorized into a Category 3,\nMalicious Code event, according to the NARANet ISSO.12 This event was detected and\nbrought to NARA\xe2\x80\x99s attention by the Security Operations Center of the TIC contractor on\nNovember 7, 2011, and involved                                             Although the\nhost was scanned for viruses, re-imaged, and redeployed within three days of the initial\ndetection, the incident was not reported to US-CERT until December 10, 2012, which\nwas 398 days past the suggested reporting timeframe for Category 3 incidents. According\nto the NARANet ISSO, this occurred because the helpdesk technician incorrectly closed\nthe incident ticket, which was reopened during a review of the open and resolved security\ntickets.\n\nUS-CERT\xe2\x80\x99s mission is to improve the nation\xe2\x80\x99s cybersecurity posture, coordinate cyber\ninformation sharing, and proactively manage cyber risk to the nation. As such, untimely\nreporting of the incidents may prevent US-CERT and other investigative agencies from\npromptly investigating the incident to minimize the impact across the government\nenvironment.\n\n\n\n\n12\n  The list of the incident reports provided did not reflect the later re-categorization; therefore, this\nremained as a Category 6 incident in our sample.\n                                              Page 20\n                           National Archives and Records Administration\n\x0c                                                               OIG Audit Report No. 13-12\n\n\nTraining and Exercises Not Provided on a Periodic Basis\n\nNARA\xe2\x80\x99s Enterprise Architecture requires that the NARA system owner or ISSO shall\ntrain personnel in their incident response roles and responsibilities with respect to the\ninformation system, and provide refresher training at least annually. According to NIST\nSpecial Publication 800-61 Rev. 2, the incident response team members need much\nbroader knowledge than most IT staff members because they work with many facets of\nIT, and they must understand how to use the tools of incident response. In Mandiant\xe2\x80\x99s\nIncident Response Program Enhancement Gap Analysis conducted in 2010, Mandiant\nfound several members of the NARA group had indicated they do not have a consistent\napproach to addressing incidents from one person to another. Instead, the individuals\xe2\x80\x99\nknowledge dictated how each person would approach any particular investigation.\nMandiant recommended one or more simple exercises should be scheduled to allow the\nparticipants to practice collecting data, analyzing data, and developing a\nrecovery/remediation plan.\n\nWe found that, although it is required in NARA\xe2\x80\x99s Enterprise Architecture, the annual\ntraining or exercises on incident response had not been provided to the individuals who\nperform or support computer security incident handling. According to the Senior IT\nSecurity Specialist, the last exercise on incident response was conducted by Mandiant in\nJune 2010, and other in-house exercises had not been conducted since then. This occurred\nbecause, although there is a policy to conduct the training on an annual basis, the process\nto ensure the trainings and exercises are conducted as required had not been established.\nFurther, according to the CISO, although most CIRT members occasionally attend\nexternal training to maintain their certifications, there is no formalized policy at NARA\nrequiring CIRT members attend training on matters related to cyber attacks and\nremediation measures.\n\nAs cyber attacks evolve and the patterns of attacks change over time, it is important to\nensure the individuals performing intrusion detection and incident response are\nadequately trained on how to detect and handle the incidents more effectively and\nefficiently. Failure to keep the staff updated, refreshed, and trained on the attack/incident\ntypes/patterns and handling them may result in: (1) a potential attack going undetected or\nonly partially detected; and (2) the detected attack not being mitigated fully and timely\nbefore it has substantial impact to the host(s) and network.\n\n      . According to the CISO, NARA\xe2\x80\x99s network-based intrusion detection system\nNIDS provided by the TIC contractor\n\n\n\n                                         Page 21\n                      National Archives and Records Administration\n\x0c                                                              OIG Audit Report No. 13-12\n\n\n                 Later, Mandiant was contracted to perform a threat assessment for the\nAPT events and discovered\n\nRecommendations\n\nWe recommend NARA\xe2\x80\x99s Chief Information Officer:\n\n   12. Ensure the preliminary reporting of all incidents and events reportable to US-\n       CERT is made within the US-CERT-specified timeframes. Further details on the\n       incident or event gathered after the original reporting should be communicated to\n       US-CERT as an update, rather than delaying the original reporting to gather\n       information.\n   13. Ensure the resolution process for a computer incident is appropriately monitored\n       and reviewed on a timely and periodic basis to minimize erroneously closed\n       incident tickets and the unnecessary time gaps between the resolution steps.\n   14. Ensure incident response tabletop exercises are conducted for staff performing\n       and/or supporting computer security incidents on at least an annual basis, and\n       practical and relevant topics to NARA\xe2\x80\x99s computing environment are covered\n       within the exercises.\n   15. Develop a policy for CIRT members to take training at least on an annual basis to\n       ensure they remain up to date with current patterns/types of cyber attacks and\n       effective, efficient incident remediation methodologies.\n\nManagement Response\n\nManagement concurred with the recommendations.\n\n4. Physical Security of the IDS Devices Needs Improvement\n\nDuring this audit, we visited three data center/computer room facilities including the\ncomputer room at Archives II, and two of the TIC contractor\xe2\x80\x99s data centers in Sterling,\nVA, to observe the physical security of the intrusion detection and prevention devices.\nThe management server and database server for the centralized HIPS and anti-virus\nmanagement system were hosted in the computer room at Archives II, and the inner and\nouter firewalls for the network were located in the contractor\xe2\x80\x99s data centers, one in each\nlocation. To assess the physical security and environmental safety controls for these\nfacilities and the IDS devices in them, we primarily used the controls found in NIST\nSpecial Publication 800-53. In addition, we used SANS Institute\xe2\x80\x99s Data Center Physical\nSecurity Checklist, dated December 1, 2001, as a reference to determine the controls to\nbe assessed for each data center facility. For the contractor\xe2\x80\x99s data centers, we reviewed a\n\n                                         Page 22\n                      National Archives and Records Administration\n\x0c                                                              OIG Audit Report No. 13-12\n\n\nnumber of reports prepared by third-party independent assessors, including DHS\xe2\x80\x99s\nCyberSecurity Capability and Compliance Validation reports and the SSAE No. 16 Type\nII reports prepared by an independent public account firm. Inquiries were also made with\nboth the NARA and contractor individuals to obtain necessary information and\nsupporting documents.\n\nThe physical security and environment controls at the contractor\xe2\x80\x99s data centers appeared\nto be adequately designed and operating effectively in accordance with NIST Special\nPublication 800-53 in areas including: (1) securing monitoring the centers and the IDS\ndevices; (2) physical access authorization and review; (3) visitor access controls; (4) fire\nsuppression and water leakage controls; (5) temperature and humidity controls; and (6)\nstorage of backup tapes. NARA also had some excellent controls in securing and\nsafeguarding the computing equipment within the computer room at Archives II\nincluding the use of locked cabinets for its computer equipment, monitoring of the\ncomputer room through surveillance cameras, temperature and humidity controls, and fire\nsuppression. However, we noted opportunities exist to better secure and safeguard\nNARA\xe2\x80\x99s computing equipment from inappropriate access, destruction, theft, or\nunavailability. Specifically, the following conditions exist for the Archives II computer\nroom, and are expanded upon below:\n\n   \xef\x82\xb7   The physical access list is not reviewed on a periodic basis.\n   \xef\x82\xb7   The visitor log is not reviewed on a periodic basis.\n   \xef\x82\xb7   Cables within the cabinets are poorly organized and unlabeled.\n\nThese conditions exist because NARA had not always followed the policies documented\nin the Enterprise Architecture, the security controls recommended in NIST Special\nPublications including 800-53, or the specific policies and procedures for certain controls\nhad not been fully developed and documented. As a result, NARA\xe2\x80\x99s computing\nequipment in the Archives II computer room may be at risk of: (1) inappropriate and\nunauthorized use; and (2) theft, destruction, damage, or unavailability.\n\nPhysical Access Review Not Performed on a Periodic Basis\n\nNARA\xe2\x80\x99s Enterprise Architecture states, in accordance with the Physical and\nEnvironmental Protection (PE) control family of NIST Special Publication 800-53, that\nthe NARA Space and Security Management Division shall review and approve the\nphysical access list and authorization credentials. Personnel no longer requiring access\nare to be removed. This must be done within the frequency defined in the System\nSecurity Plan (SSP) for unclassified information systems, or at least annually for\nclassified information systems. According to the NARANet ISSO, although the physical\n                                         Page 23\n                      National Archives and Records Administration\n\x0c                                                              OIG Audit Report No. 13-12\n\n\naccess review has been performed at least annually since 2010, there is no documented\nprocess for conducting the review. Based on the supporting documents provided, the two\nmost recent reviews prior to this audit were conducted in August 2010 and March 2011.\nAnother review was conducted during this audit in November 2012, as a response to our\nrequest for a copy of the physical access list. In this review, management found three\nindividuals who were granted access to the computer room by clerical errors.\n\nNARA\xe2\x80\x99s centralized HIPS and anti-virus management system is an unclassified\nsubsystem within NARANet, according to the NARANet ISSO. Although NARA\xe2\x80\x99s\nEnterprise Architecture requires physical access reviews within the frequency defined by\nthe SSP, the SSP for neither the NARANet GSS Application Servers nor the Common\nControls defined the frequency. Not having documented, specific procedures for\nreviewing the physical access list may lead to: (1) failure to review the list on a regular\nbasis; (2) access granted due to clerical or systematic errors going undetected; (3)\nindividuals no longer requiring access not being removed from the list in a timely\nmanner; and (4) data damage, loss, or manipulation caused by (2) or (3) above.\n\nVisitor Log Not Reviewed\n\nNARA\xe2\x80\x99s Enterprise Architecture states, in accordance with the Physical and\nEnvironmental Protection (PE) control family of NIST Special Publication 800-53, the\nNARA Space and Security Management Division shall review visitor access records.\nThis must be done within the SSP-defined frequency for unclassified information\nsystems, and at least every 90 days for classified information systems. NARA maintains a\nvisitor log book at the front desk of the computer room at Archives II. However, the SSP\nfor neither the NARANet GSS Application Servers nor the Common Controls defined a\nfrequency for review of the log. According to the NARANet ISSO, there is not a process\nto review visitor logs periodically.\n\nAs of December 4, 2012, there were 26 entries filled out by the visitors from July 21,\n2012 through December 3, 2012. However, not all of the entries included all the required\ninformation. For example, three entries were missing the dates of visits, seven were\nmissing a NARA contact person, four were missing the NARA organization, 13 were\nmissing reasons for the visits, and seven were missing the exit times. Additionally,\nalthough the log book instructs visitors to include detailed reason for the visit and not to\nwrite \xe2\x80\x9cwork,\xe2\x80\x9d 10 of the entries only included generic descriptions as \xe2\x80\x9cserver\xe2\x80\x9d or\n\xe2\x80\x9cservice.\xe2\x80\x9d Incomplete and/or inaccurate information regarding the visit may lead to less\nauditability in the event of unauthorized or inappropriate access to the equipment and any\nconsequences, including destruction or removal of the equipment and data spoilage.\n\n\n                                         Page 24\n                      National Archives and Records Administration\n\x0c                                                             OIG Audit Report No. 13-12\n\n\nImprovement Opportunities in Cable Management\n\nNIST Special Publication 800-53 recommends employing clearly identified and\nphysically separated cable trays as a control enhancement to protect against unauthorized\nphysical connections. The Network Discovery and Assessment Report completed by\nIMRI in August 2012 revealed NARA did not tag cables so that the network\nadministrator would be able to determine the source and destination of every cable\nattached to a switch or server. We inspected the back of NARA\xe2\x80\x99s centralized HIPS and\nanti-virus management database servers and found the cables connected to the servers\nwere unlabeled and poorly organized without any cable ties (see Figure 1: Back of the\nHIPS and anti-virus Management and Database Servers below). The unlabeled and\npoorly organized cables may result in: (1) diminished productivity by not being able to\nquickly identify the source and destination of each cable; (2) damage to the cables\ncausing unavailability of the service; and (3) the cables being frayed, exposing energized\nwires, causing a fire hazard.\n\n\n\n\n   Figure 1: Back of the HIPS and Anti-virus Management and Database Servers\n\n\n                                        Page 25\n                     National Archives and Records Administration\n\x0c                                                           OIG Audit Report No. 13-12\n\n\nRecommendations\n\nWe recommend NARA\xe2\x80\x99s Chief Information Officer:\n\n   16. Fully develop and document a process for reviewing the list of individuals with\n       access to systems hosted in NARA\xe2\x80\x99s computer rooms, define the frequency of the\n       review in accordance with system categorization and availability requirements,\n       and ensure the frequency is properly documented in the system\xe2\x80\x99s SSP.\n   17. Fully develop and document the process for reviewing visitor logs for NARA\xe2\x80\x99s\n       computer rooms, including clearly defined review frequencies and assignment of\n       the duties to appropriate individuals for performing, reporting, and acting upon\n       the review (when corrective/investigative actions are needed).\n   18. Fully develop and document the policies and procedures for a cable management\n       system, including labeling, using proper cable ties and/or trays, and periodic\n       inspection of the cables, for the HIPS and anti-virus management system.\n\nManagement Response\n\nManagement concurred with the recommendations.\n\n\n\n\n                                       Page 26\n                    National Archives and Records Administration\n\x0c                                                OIG Audit Report No. 13-12\n\n\nAppendix A \xe2\x80\x93 Acronyms and Abbreviations\nAC        Access Control\nAPT       Advanced Persistent Threat\nAQL       Acceptable Quality Level\nCIRT      Computer Incident Response Team\nCISO      Chief Information Security Officer\nCMRS      Case Management and Reporting System\nCOTS      Commercial Off-the-shelf\nDoS       Denial of Service\nDDoS      Distributed Denial of Service\nDHS       Department of Homeland Security\nERA       Electronic Records Archives\nGSA       United States General Service Administration\nGSS       General Support Services\nHIPS      Host Intrusion Prevention System\nHTTPS     Hypertext Transfer Protocol Secure\nIA        Identity and Authentication\nIDS       Intrusion Detection System\nIDPS      Intrusion Detection and Prevention System\nIP        Internet Protocol\nIPS       Intrusion Prevention System\nISSO      Information System Security Officer\nKPI       Key Performance Indicator\nMPLS      Multiprotocol Label Switching\nMTIPS     Managed Trusted Internet Protocol Service\nNARA      National Archives and Records Administration\nNIDS      Network-based Intrusion Detection System\nNIST      National Institute of Standards and Technology\nNITTSS    NARA Information Technology and Telephone Support Services\nNOC       Network Operations Center\nNPRC      National Personnel Records Center\nOFAS      Order Fulfillment and Accounting System\nPE        Physical and Environmental Protection\nPII       Personally Identifiable Information\nRCPBS     Records Center Program Billing System\nSLA       Service Level Agreement\nSOC       Security Operations Center\nSSP       System Security Plan\nTCP       Transmission Control Protocol\nTIC       Trusted Internet Connections\nUS-CERT   United States Computer Emergency Readiness Team\nUTM       Unified Threat Management\nVLAN      Virtual Local Area Network\n\n\n                              Page 27\n           National Archives and Records Administration\n\x0cAppendix B - Management\xe2\x80\x99s Response to the Report \n\n\n\n\n\n    L NATIONAL\n      ARCHIVES\n\n\n\n          Date:                  SEP. 0 5 2013\n          To:                James Springs, Acting Inspector General\n          From:              DavidS. Ferriera, ArchMst of the United States\n          Subject:      DRAFT OIG Report 13-12, Audit of NARA's Intrusion Detection and Prevention\n          Systems and Incident Response (IDS)\n\n\n          Thank you for the opportunity to review ttle subject draft report. We appreciate your time in\n          reviewing our informal comments and making some clarifying adjustments.\n\n          We concur with each of the 18 recommendations and will address them further in our action\n          plan. If you have any questions about this response, please contact Mary Drak at 301-837-\n          1668 or at mary.drak@nara.gov.\n\n\n\n\n       ~L~Archivist of the United States\n\n\n\n\n     NAT I ONA L ARCH I VES and\n     RECORDS ADM I NIS T R .~T I ON\n\n        860 1 ADElPHI ROAD\n     COLLEm PARK. MD 20740-600 1\n           www.archfves . go~\xc2\xb7\n\x0c                                                          OIG Audit Report No. 13-12\n\n\nAppendix C - Report Distribution List\n\n\nArchivist of the United States\nDeputy Archivist of the United States\nChief Information Officer\nChief Operating Officer\n\n\n\n\n                                        Page 29\n                     National Archives and Records Administration\n\x0c"